Restrict command to run

sunhui · 05-25-2006, 02:34 AM

If I want to limit the user can only run part of comamnd in /usr/bin , is it possible ? for example , if I want to limit the user can't use the command /usr/bin/wget , /usr/bin/gcc etc, what can I do ? thx

vls · 05-25-2006, 02:53 AM

Remove the read and execute bit from the 'other' field of the file permissions on the particular binary:

Shell command:

Quote:

$ chmod 750 /usr/bin/wget

or

Quote:

$ chmod o-rx /usr/bin/wget

jschiwal · 05-25-2006, 02:57 AM

I haven't tried it on binaries, but if the files are on a file system that can use ACLs, you could remove read and execution access for certain users.
read through the man pages for the commands "getfacl" and "setfacl". You may need to install a acl package if it isn't by default.

vls · 05-25-2006, 03:13 AM

Quote:

Originally Posted by jschiwal

I haven't tried it on binaries, but if the files are on a file system that can use ACLs, you could remove read and execution access for certain users.
read through the man pages for the commands "getfacl" and "setfacl". You may need to install a acl package if it isn't by default.

Ah, yes. My solution would wack all users.

Okay, Non-ACL solution.
Remove the permission as I provided.
Create a special group for users who get to run the command and add them to that group with execute permission. Not too elegant, I know, but you could come up with a script to automate the task I'm sure.

Hmm, does sudo let one restrict command access on basic commands?

jschiwal · 05-25-2006, 04:06 AM

Quote:

Hmm, does sudo let one restrict command access on basic commands

aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi, /usr/bin/less
This prevents a person authorized to use sudo from using these programs which provide shell escapes.
entering the commands "!/bin/bash" would give the user full root access.
I don't know how good this protection is. For example, if they copied the command somewere else, could they execute it then?

Look in the "man 5 sudoers" man page for details.